Watch out! A sophisticated spyware campaign is getting the help of internet service providers (ISPs) to trick users into downloading malicious apps. The spyware is Hermit, a modular tool from Italian vendor RCS Labs that can not only steal data but also record and make calls.

Google's Threat Analysis Group (TAG) revealed the details in a blog post by researchers Benoit Sevens and Clement Lecigne. The campaigns send each target a unique link to a fake app impersonating a legitimate one, in an attempt to get them to download and install the spyware. None of the fake apps were found on Apple's or Google's official mobile app stores, the researchers said.

What is Hermit spyware?

Hermit is modular surveillance-ware: it hides its malicious capabilities in packages that are downloaded only after the initial app is deployed. What makes it dangerous is that it can not only record audio but also make and redirect phone calls, and collect data such as call logs, contacts, photos, device location and SMS messages from the targeted smartphone.

How does the Hermit spyware work?

The spyware is distributed via SMS messages pretending to come from a legitimate source. In the samples the researchers analyzed, it impersonated the applications of telecom companies or smartphone manufacturers.

To maintain its cover, Hermit loads and displays the impersonated company's real website while the malicious activity starts in the background. This spyware is smart. First, it checks whether the device it is running on is exploitable. If the device is confirmed to be exploitable, the spyware contacts its command-and-control (C2) server to fetch the files needed to exploit the device and start its root service. That service is then used to grant the app elevated privileges: access to accessibility services, notification content and package usage state, and permission to ignore battery optimization.
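The four privilege grants listed above are ones a defender can audit on a device. The script below is an added example (not code from the article or from Google TAG): it parses the text a phone returns for `adb shell settings get secure enabled_accessibility_services`, `adb shell settings get secure enabled_notification_listeners` and `adb shell dumpsys deviceidle whitelist`, and reports packages outside an allow-list that hold any of these grants. The dumps and the `com.example.carrierfix` package are constructed for the demonstration; the allow-list is an assumption to be tuned per fleet.

```python
# Triage of Android special-access grants abused by surveillance-ware.
# Sample outputs below are constructed; "null" is what `settings get` prints
# when a setting has never been written, so that case must be handled.
ACCESSIBILITY_DUMP = "com.android.talkback/.TalkBackService:com.example.carrierfix/.SysService"
LISTENERS_DUMP = "com.example.carrierfix/.NotifyService"
DEVICEIDLE_DUMP = """system-excidle,com.android.providers.downloads,10007
system,com.google.android.gms,10012
user,com.example.carrierfix,10245
"""
# Assumed allow-list of packages expected to hold such grants on this fleet.
KNOWN_GOOD = {"com.android.talkback", "com.google.android.gms",
              "com.android.providers.downloads"}


def parse_component_list(dump):
    """Parse 'pkg/Service:pkg2/Service2' (or 'null') into a set of package names."""
    dump = dump.strip()
    if not dump or dump == "null":
        return set()
    return {entry.split("/", 1)[0] for entry in dump.split(":") if entry}


def parse_deviceidle_whitelist(dump):
    """Parse 'kind,pkg,uid' lines; only user-added exemptions are of interest,
    since 'system' and 'system-excidle' entries come from the OS image."""
    pkgs = set()
    for line in dump.splitlines():
        parts = line.strip().split(",")
        if len(parts) == 3 and parts[0] == "user":
            pkgs.add(parts[1])
    return pkgs


def suspicious_grants(accessibility, listeners, deviceidle, known_good):
    """Map each non-allow-listed package to the set of sensitive grants it holds."""
    grants = {
        "accessibility_service": parse_component_list(accessibility),
        "notification_listener": parse_component_list(listeners),
        "battery_optimization_exempt": parse_deviceidle_whitelist(deviceidle),
    }
    report = {}
    for grant, pkgs in grants.items():
        for pkg in pkgs - known_good:
            report.setdefault(pkg, set()).add(grant)
    return report


if __name__ == "__main__":
    for pkg, held in suspicious_grants(ACCESSIBILITY_DUMP, LISTENERS_DUMP,
                                       DEVICEIDLE_DUMP, KNOWN_GOOD).items():
        print(pkg, sorted(held))
```

A single unknown package holding all three grants at once, as in the constructed sample, is the pattern worth escalating; a package holding only one may simply be a legitimate utility that belongs on the allow-list.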

It's suspected that the actors worked with the targets' internet service providers (ISPs) to disable their mobile data connectivity, then sent an SMS urging the recipients to install an application to restore mobile data access.

How can I protect myself from this spyware?

If you're wondering what Apple and Google are doing to combat this spyware: Apple revoked all known accounts and certificates associated with Hermit, and Google pushed a Google Play Protect update to all users.

Android and iOS users, for their part, should update their smartphones to the latest version of the mobile OS. Additionally, smartphone users should avoid downloading unknown apps or clicking links from unknown sources.
